Israeli firm sees the spy agencies behind the sexy images

‘This looks like a fake one,” said Eyal Sela, head of threat intelligence at Tel Aviv-based firm ClearSky Cyber Security.

The Facebook profile on the screen of Sela’s computer is that of a dark-haired young woman, a low-cut white T-shirt and cut-off blue-jean shorts hugging her voluptuous body. Definitely pretty. On the side, there is a picture of the same young woman with a fun Snapchat face — mouse ears and snout. And there are other photos of her partying with her friends, liking links and commenting on posts. She’s formerly an IDF soldier, according to the profile, which also identifies the Israeli city in which she lives and other details.

Except she is not who she says she is. ClearSky’s Sela smoothly searches for the photographs on Google and, bingo, discovers that the images on the page are actually of a young Australian woman. The former IDF soldier identity profile is fake, the pictures stolen.

“Generally these fake profiles are of beautiful women who seek to friend men even if they don’t know them,” said Sela. “They gain their trust, coming across as a legitimate person, and then trick them into clicking on malicious links or a virus by texting them or sending them personal messages, asking them to read an interesting article perhaps, but with links to malicious websites. You think that person is legitimate, but actually it is an espionage agency, or some other party that wants access to your information.”

Similarly, according to a report released by ClearSky last month, the profile of a certain Jessica Cohen — named in Hebrew — is fake. The blond young woman featured with an low-cut orange tank top studied at Ben-Gurion University of the Negev, lives in Jerusalem and has a number of friends. She likes the Technion – Israel Institute of Technology and also the Friends of the IDF, a nonprofit organization. She also likes the right-wing Likud party. Cohen was tagged by her cousin Dina Sharon, also of the IDF, living in Haifa, who is a tagged cousin of Amanda Morgan. But both Amanda Morgan and Dina Sharon are fake Facebook profiles, according to ClearSky.

As of time of publication of the ClearSky report Amanda Morgan was still active, but the account is currently unavailable. She had thousands of friends and 2,630 followers, many of whom were Israeli, the report detailed.

The profiles were set up by a group called CopyKittens, which ClearSky believes is likely an Iranian threat agent.

“You can never know for sure the identity of the threat,” said Sela, “but through investigating traces left by these operators on the web — by looking at targeted people and organizations, language uses, tools and methods previously linked to the group or actor, the location of malicious servers, website registration detalis and source code, we can have a pretty good idea of who they are.”

The report released by ClearSky in July, called Wilted Tulip, was compiled jointly with Japanese multinational software firm Trend Micro Inc. It has tracked the activities of the Iranian threat agent group since it was founded in 2013, and says it has targeted victims using self-developed malware and hacking tools that it spreads via email with links to malicious websites or with malicious attachments.

The fake Facebook profiles that were set up were used to send out malicious links and aimed to build targets’ trust, the report said.

The objective of CopyKittens, said the report, is to gather as much information and data from target organizations as possible, gaining access to “large amounts of documents, spreadsheets, files containing personal data, configuration files and databases.”

A poster in ClearSky’s office spells Teheran. CopyKittens is believed to be an Iranian threat agent, the firm says (Shoshanna Solomon/The Times of Israel)

The group has also breached online news outlets and general websites by using the accounts to lay down so-called watering hole attacks, in which a hacker guesses or observes which websites the targeted organization is most likely to use, and infects those websites with malware, hoping that eventually some members of the targeted organization get infected.

ClearSky offers cybersecurity intelligence services to customers. “We are not a startup,” explained Sela. “We are a service company and we haven’t raised any funding.”

Founded almost seven years ago by Boaz Dolev, who formerly set up the Israeli government’s electronic services platform, e-Gov, ClearSky is also part of the Israeli Cyber Consortium, a group led by Israel Aerospace Industries that includes heavyweights like Check Point Software Technologies Ltd., Verint, and ECI Telecom Ltd., which provides a comprehensive basket of cybersecurity services to clients globally.

ClearSky’s clients include utility and financial companies in the United States, Portugal, Scotland, Spain, and Israel, as well as many financial, governmental and industrial institutions in Israel, according to the firm.

“We serve the top 50 corporations in Israel,” Sela said. Dolev helped design and build Israel’s first cybersecurity operation center, called Tehila, and ClearSky is helping set up a state Computer Emergency Response Team (CERT) in Central America.

Sela, 32, served in a medical unit of the Israeli Air Force during his army service, while 28-year old Sergey Shykevich, the head of research at the firm, served for 8.5 years in the elite 8200 IDF intelligence unit.

ClearSky employs some 15-20 people, most of whom come from IDF intelligence backgrounds, Sela and Shykevich said in a joint interview at their offices.

Simulating attacks, scouting for threats

The company provides clients with round-the-clock cyber intelligence alerts, cyber war games and advice on protecting their systems. They teach customers to identify threats and report them, practice threat scenarios and set out crisis management instructions for when an attack is underway.

“Advanced Persistent Threat attacks don’t happen every day, ” said Sela, “so people who are not in IT don’t really know what do or how to recognize they are under attack.”

Shykevich’s role is to research the threats: find out their origin, infiltrate groups on the dark net or on the regular web, via fake identities or avatars, to find out about plans for future attacks and alert clients ahead of time. ClearSky works closely with other companies and bodies, both locally and internationally, to get a fuller picture of the threat landscape. When its staff members see an attack or a hack they alert the company or institution in question, even if it is not their client.

“We send them an alert that they are being attacked,” Shykevich said. It helps those attacked protect themselves and it also allows Shykevich to better study the cases.

“It is mutually beneficial,” he said. “Sometimes, when investigating, you hit a dead end, but sometimes you get a lot of information. We try to find patterns of the attacks, catalog them to make some sense of it all.”

Data research firm MarketsandMarkets estimates the information security consulting market will grow at a compounded annual rate of some 10 percent, from some $16 billion in 2016 to some $26.2 billion by 2021.

Awareness is key to staying safe

“The market in which ClearSky Cyber Security is active is currently in a positive trajectory point and is expected to grow rapidly in the immediate future,” said Zirra.com, a Tel Aviv-based research firm that analyzes private companies using artificial intelligence and machine learning technologies, in a report.

However, the cybersecurity services space is crowded, Zirra.com said, with consulting firms like Deloitte, Ernst & Young and Accenture, and tech giant IBM, considered to be leading firms in the space.

Higher levels of awareness are the key to staying safe, said Sela and Shykevich.

“The cyber attacks through the internet are increasing exponentially, and depending on how important you are to the attackers, eventually they will likely succeed,” Sela said.